ardamax | b69c2a7b0733c6ca8627b2eb61708a8703cabae861e0cab33af897bb1c00aa6d

General

Target

efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe
Size

2.5MB
MD5

efac191a4bb2bee5f35ac180f0a2dbc9
SHA1

d4e47202ec96a6adea0f7932cc9ae1cfdf31d90b
SHA256

b69c2a7b0733c6ca8627b2eb61708a8703cabae861e0cab33af897bb1c00aa6d
SHA512

b4e536949ff852ca6a2ac900e271f6b941703545915008d505fa8d487b4e2250a1c23092cf121a943e6cea455b2a87a77c2bc9b5b0dca7c43ad1b65c3f0acdfd
SSDEEP

49152:sQgS9aqmTGg8A7Z6AMGFMMgmv3q6jZhgWAz59vcPikwL:lJlg57IA3M6qYg79vcPiz

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002346d-24.dat	family_ardamax

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
512	BHC.exe

Loads dropped DLL 1 IoCs

pid	Process
512	BHC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BHC Start = "C:\\Windows\\APUBAB\\BHC.exe"	BHC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\APUBAB\AKV.exe	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe
File created	C:\Windows\APUBAB\BHC.exe	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe
File opened for modification	C:\Windows\APUBAB\	BHC.exe
File created	C:\Windows\APUBAB\BHC.004	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe
File created	C:\Windows\APUBAB\BHC.001	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe
File created	C:\Windows\APUBAB\BHC.002	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BHC.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEBE7B8F-CEBE-7B8F-CEBE-7B8FCEBE7B8F}\InProcServer32\ = "C:\\Windows\\SysWOW64\\ieframe.dll"	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEBE7B8F-CEBE-7B8F-CEBE-7B8FCEBE7B8F}\InProcServer32\ThreadingModel = "Apartment"	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEBE7B8F-CEBE-7B8F-CEBE-7B8FCEBE7B8F}	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEBE7B8F-CEBE-7B8F-CEBE-7B8FCEBE7B8F}\ = "IE Background Task Scheduler"	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEBE7B8F-CEBE-7B8F-CEBE-7B8FCEBE7B8F}\InProcServer32	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
512	BHC.exe
512	BHC.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1832	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1832	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe
Token: 33	512	BHC.exe
Token: SeIncBasePriorityPrivilege	512	BHC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
512	BHC.exe
512	BHC.exe
512	BHC.exe
512	BHC.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 512	1832	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe	83
PID 1832 wrote to memory of 512	1832	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe	83
PID 1832 wrote to memory of 512	1832	efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efac191a4bb2bee5f35ac180f0a2dbc9_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\APUBAB\BHC.exe
  "C:\Windows\APUBAB\BHC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\APUBAB\AKV.exe

Filesize
490KB

MD5
4a9c593eecd544d364a177b13c2bca08

SHA1
4d45a5bd2ae551e1094eb5b05a1dd771dd5c5a2f

SHA256
f834b097641aeea37281d50353f3b88fd83749ed77a8db0bfc1f28dc1dfeac7e

SHA512
b7d5e5eb03f05763b34b722e7b19d320db3b2bb32b1d367bf79376c56a01d3c06541db6c2518623e9aa1ca6a7880189519aa1d09fe27817eb5aff67c62dfea03

Download Submit
C:\Windows\APUBAB\BHC.001

Filesize
61KB

MD5
1b96913d74f1c4f36c846c0a804a7037

SHA1
8e0dfc0012edb64042b018d470950cd5e415aa5a

SHA256
553b04ef8dd080a1c8c9b285008fbef1134c44fd98ca7cc2d3600b870882e761

SHA512
ed6b01ad0dd6ef9ed24c1e5fd8c7f6f1e68c4c5d5c1d75e770c9cda4cdde09c5eefde6009c864956ff1e1e379d40ee105bf7a1a033bd1ee95c797762d1f06f9f

Download Submit
C:\Windows\APUBAB\BHC.002

Filesize
44KB

MD5
6d836081d32019c0a5928587be5ef42c

SHA1
d51bdc15dca361f17418746bbe0efa3a7dee046c

SHA256
6ca6cab6f131ee5b69d445a64cc269f1489ee8ecaf6dbfdbc400b829490f8c21

SHA512
2cabc9d6e8f017b8f42680018cadea69824bb40ec60c7a534135c66363be1b53e575c6fe39b8861923744f62b5e531492f1d729f12de32e29ff9cf7869d22ade

Download Submit
C:\Windows\APUBAB\BHC.004

Filesize
1KB

MD5
529a3b0e2589820a4e9609cf53e7c281

SHA1
73a79b8dc3f956e5b0d9f6bdbd2ead9fd86258a1

SHA256
0f292110afb0b496d7a4dbb5f0b7578ce989c11448836d04e287bba97b55084f

SHA512
cabb89437dd8e82fa1481e0b8a604742e2ef33920b2555adfa1e80a93ef13b26508be1e81f4190b1e080c94b0e621881a7513aa9e3df81094d8f47d94f06c31a

Download Submit
C:\Windows\APUBAB\BHC.exe

Filesize
1.7MB

MD5
a2ff5d2b7214bd4c0d5e13223ece568c

SHA1
a710b1d805aba3abd7734c0c07f300d7be95a1af

SHA256
60a09a85e7779af967967925237a5408735ea2ecca9b182e0c1049f4f261b302

SHA512
909a51ab15b6b793087728bf5ddae551dbd7b32ed16929e6db0a23c897f742e2218b270c9d055fd6f261b3a1e1595daffc387511e85643bf35a8c0b6155c18d8

Download Submit
memory/512-37-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/512-34-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/1832-11-0x0000000000400000-0x00000000008F1000-memory.dmp

Filesize
4.9MB

Download
memory/1832-15-0x0000000004C70000-0x0000000004DA5000-memory.dmp

Filesize
1.2MB

Download
memory/1832-13-0x0000000000400000-0x00000000008F1000-memory.dmp

Filesize
4.9MB

Download
memory/1832-28-0x0000000004C70000-0x0000000004DA5000-memory.dmp

Filesize
1.2MB

Download
memory/1832-12-0x0000000000400000-0x00000000008F1000-memory.dmp

Filesize
4.9MB

Download
memory/1832-14-0x0000000000400000-0x00000000008F1000-memory.dmp

Filesize
4.9MB

Download
memory/1832-0-0x0000000000400000-0x00000000008F1000-memory.dmp

Filesize
4.9MB

Download
memory/1832-10-0x0000000000400000-0x00000000008F1000-memory.dmp

Filesize
4.9MB

Download
memory/1832-8-0x0000000004C70000-0x0000000004DA5000-memory.dmp

Filesize
1.2MB

Download
memory/1832-35-0x0000000000400000-0x00000000008F1000-memory.dmp

Filesize
4.9MB

Download
memory/1832-2-0x0000000004C70000-0x0000000004DA5000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads